Secplicity - Security Simplified

Powered by WatchGuard Technologies

Cyber Security Frameworks and Controls

June 21, 2018 By Emil Hozan

Control-Flow

Data is a valuable asset and a major factor in many markets, supporting both production and sales. Interpreting trends and analyzing emerging markets is accomplished by correlating data. Maintaining this data appropriately is just as important, especially when it involves personal or sensitive data. Beyond that, matters of national security must be handled securely as well, as defined by preset standards that must be adhered to.

There are many standards and frameworks available, each with its own stated scope, but they all orient around one main aspect – handling data appropriately and securely. Let’s cover a high-level overview of some current controls that must be adhered to when handling certain sets of data:

– Health Information Trust Alliance Common Security Framework (HITRUST CSF)
This framework is the most widely-adopted among U.S. healthcare industries. It was developed to address many aspects of security, privacy and regulatory challenges organizations were facing. Incorporating foundational work from other known standards (ISO, NIST, PCI, HIPAA, etc.), this scaling framework works with the varying complexities of different organizations.

– Payment Card Industry Data Security Standard (PCI DSS)
Handling payment information properly is imperative, as fraud and identity theft are a serious threat. PCI DSS helps merchants and other financial institutions implement security standards and policies, as well as aiding vendors in understanding and implementing standards for secure payment solutions. Even with new technologies being introduced, securing transactions should still be a focal point for some organizations regardless of the options that are available.

– International Standards Organization (ISO/IEC) 27000-Series
This is a family of standards, the entirety of which focuses on helping manage your organization’s financial information, intellectual property, employee details and information entrusted by third parties. ISO/IEC 27001 is best known for its requirements for Information Security Management Systems.

– National Institute of Standards and Technology (NIST)
In February 2013, the President of the United States recognized that the national and economic security of the U.S. was reliant on the function of its critical infrastructure. Thus, Executive Order (EO) 13636 was formulated and NIST worked with stakeholders to create the framework. Special Publication 800-53 specifically focuses on the security controls of federal systems and organizations participating in federal programs and the handling of private information.

– Control Objectives for Information and related Technologies (COBIT)
More geared toward large enterprises, COBIT is a framework for the governance and management of IT, aimed at leading-edge business optimization and growth. COBIT 5 is the only business framework for the governance and management of enterprise IT. It incorporates many globally accepted principles, practices, analytical tools and models to help build and increase trust in information systems.

With so many standards, knowing just which to use is a tough choice to make. A good thing to remember is that the standards can be used as a guideline and can be molded to better suit your organization’s needs. Guideline adherence is heavily affected by the number of employees, the business being conducted, and the type of data being used. The main thing to bear in mind is: just as we wouldn’t want our Social Security number roaming the open Internet, we wouldn’t want our health information or other financial information floating around either. On a grander scale, business conducted with the federal government shouldn’t be taken lightly either. The recently adopted GDPR mandates compliance from any organization that collects personal data from an EU citizen, to ensure that data is handled properly. – Emil Hozan

Filed Under: Editorial Articles Tagged With: infosec

Comments

  1. michael says

    June 22, 2018 at 4:20 am

    Thank you for your useful and interesting article. I’d just like to point out that the 27000 series is jointly developed by the IEC and ISO. The correct designation is ISO/IEC 27000.
    I’d be grateful if you could please update your article to reflect this fact, also because IEC experts contribute a lot of their time and effort and are disappointed when their work is not acknowledged.

    • Emil Hozan says

      July 6, 2018 at 9:41 am

      Hello Michael,

      Thank you very much for pointing that out – credit is due where credit is deserved. The change has been updated, we appreciate your feedback and continued support by reading our content.

      Regards,
      Emil Hozan
